Yangsuite Device IPv6 / SSH Connectivity #103

Open
chrisoski opened this issue Nov 28, 2023 · 8 comments

@chrisoski

Hi,

I have a netconf-enabled device that I am having problems connecting to in yangsuite. The device is IPv6-only, and requires an SSH identity file to connect to the netconf listener on 830. I do not have a password for the device - only a key.

I can ping the device by name (via /etc/hosts) or by address using ping6. I can ssh to the device (host, address, user & identity file defined in ~/.ssh/config) on port 830 directly in my local terminal.

When I set up the device in yangsuite, the test connection results in ping failure (ping: cannot resolve <IPv6-address> | <hostname>: Unknown host), and netconf fails (AuthenticationException('Authentication failed.')). I've tried changing the yangsuite device address field to use the hostname defined in /etc/hosts and in ~/.ssh/config, and to use the IPv6 address with and without square brackets. I've also changed the Host entry in ~/.ssh/config between the hostname from /etc/hosts and the device's IPv6 address.

None of those combinations work. It seems like inside yangsuite ping is not using IPv6, and netconf connectivity is not referring to the local ssh config.

With these constraints, is there a path forward to connect to the device using yangsuite?

@miott
Collaborator

miott commented Nov 28, 2023

I have yangsuite installed on an Ubuntu desktop 20.04 inside my lab network with IPv6 addresses configured on 2 of my lab routers. My "check connectivity" works for ping, ssh, and netconf. All the SSH, ping, and netconf handling is happening on the host you have yangsuite installed on, not the host the web browser is running on. Are you testing the ping, SSH, and netconf from the host running the yangsuite server? I am not familiar with the "SSH identity file" so I will have to investigate that.


@miott
Collaborator

miott commented Nov 28, 2023

Ok went right over my head. By "SSH identity file", you mean the keys stored in ~/.ssh/ directory. Might want to check your known_hosts file and make sure it matches the IPv6 address. This will be in the home directory/.ssh/ of the user that logged into the yangsuite server terminal. Test the ping, ssh, and netconf from that host.
Netconf test from terminal:

    ssh -p 830 -s <device username>@<IPv6 address> netconf

You will be prompted for password and should receive the netconf hello packet.

@chrisoski
Author

Hi miott,

> Are you testing the ping, SSH, and netconf from the host running the yangsuite server?

Yes, all of those work to the end device from the host running the server. There is an entry for the end device with an address that matches what was used as the device's address in yangsuite in ~/.ssh/known_hosts.

> You will be prompted for password and should receive the netconf hello packet.

The difference is that I am only authenticating with SSH keys, so there is no prompt for a password. Once SSH connects on port 830, the netconf hello is received.

@miott
Collaborator

miott commented Nov 29, 2023

Looking at the underlying python libraries handling this connection from yangsuite to device, I see nothing preventing passwordless ssh from working. I will have to set this up in one of my lab devices and see if changes need to be made to yangsuite. Right now I have no answers.

@miott
Collaborator

miott commented Nov 29, 2023

Found the issue. I have opened a ticket to fix this in yangsuite-netconf. In the meantime, you can add the proper parameters in your yangsuite virtualenv.

Edit yangsuite/venv/lib/python3.X/site-packages/ysnetconf/nconf.py; at line 1761 you will see kwargs. Add these two parameters:

    'allow_agent': False,
    'look_for_keys': True,

You could also point to your ssh_config file by adding this parameter but it shouldn't be required:

    'ssh_config': True,

This all assumes you have the keys and ssh_config file in the standard ~/.ssh/ directory. If they are stored in another directory set 'ssh_config': '/path/to/ssh_config/file' and add 'key_filename': '/path/to/private/keys/'.

Make sure you don't have "Skip SSH key validation for this device" checked in the device profile.

Let me know if it works for you.

@chrisoski
Author

I made three changes to nconf.py, adding the following:

    'allow_agent': False,
    'look_for_keys': True,
    'ssh_config': True,

I initially did not add the ssh_config parameter - that did not work.

After adding ssh_config in addition to the first two parameters the netconf connectivity test to my device worked! Ping and SSH still fail, but the application is now able to communicate with my device using netconf.

Thanks for your assistance!

@miott
Collaborator

miott commented Nov 30, 2023

> I made three changes to nconf.py, adding the following:
>
>     'allow_agent': False,
>     'look_for_keys': True,
>     'ssh_config': True,
>
> I initially did not add the ssh_config parameter - that did not work.
>
> After adding ssh_config in addition to the first two parameters the netconf connectivity test to my device worked! Ping and SSH still fail, but the application is now able to communicate with my device using netconf.
>
> Thanks for your assistance!

Good to hear that. Is it possible for me to get a redacted copy of your ssh_config? No ip addresses or other sensitive info. I would like to understand why you required ssh_config.

@chrisoski
Author

Sure thing:

Host *
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 5m

Host <Hostname1>
    HostName <IPv4>
    User <UID>
    ForwardAgent yes

Host <Hostname2>
    HostName <IPv4>
    User <UID>
    ForwardAgent yes

Host <Hostname3>
    HostName <IPv4>
    User <UID>
    ForwardAgent yes

Host <Hostname4>
    HostName <IPv4>
    User <UID>
    ForwardAgent yes

Host <Hostname5>
    HostName <IPv4>
    User <UID>
    ForwardAgent yes

Host <Hostname6>
    HostName <IPv4>

Host <Hostname7>
    User <UID>
    HostName <IPv4>

Host <NetconfHostname>
    HostName <IPv6>
    User <NetconfUID>
    IdentityFile </path/that/isn't/~/.ssh/identity_file>

The last entry is the device I had problems connecting to in yangsuite.

  • I had previously made attempts to use both NetconfHostname and IPv6|[IPv6] in the yangsuite device address field. The address field is currently set to NetconfHostname in the yangsuite device profile. There is a corresponding entry in /etc/hosts that maps hostname to address.
  • UID is the primary / corporate username that I use on the workstation running yangsuite. NetconfUID is a different username.
  • Because the netconf host uses a different username, I have the identity file for the host stashed in a directory other than ~/.ssh.

The first entry defining session sharing for all devices was added yesterday for reasons other than trying to get yangsuite working. That may or may not be important, but it was not present when I initially created the device profile in yangsuite.
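
Added example, not part of the thread and not yangsuite or ncclient code: a standard-library sketch of how an OpenSSH-style client config resolves an entry shaped like the last `Host` block above, and which of its settings (a different `User`, an `IdentityFile` outside `~/.ssh`) are available only when the client reads ssh_config. The host alias, address, user names, key path and the list of default key file names are constructed assumptions; `Key=Value` syntax and `Match` blocks are not handled.

```python
import fnmatch
import os.path

# Constructed sample shaped like the redacted config in the thread (placeholder values).
SAMPLE_CONFIG = """\
Host *
    ControlMaster auto

Host netconf-dev
    HostName 2001:db8::10
    User netconfuser
    IdentityFile /opt/keys/netconf_id
"""

# Assumption: default key discovery probes only these conventional names in ~/.ssh.
DEFAULT_KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519")


def _host_matches(alias, patterns):
    """OpenSSH Host matching: a positive pattern hits and no '!pattern' hits."""
    hit = lambda p: fnmatch.fnmatchcase(alias, p.lstrip("!"))
    negated = any(hit(p) for p in patterns if p.startswith("!"))
    return not negated and any(hit(p) for p in patterns if not p.startswith("!"))


def resolve(config_text, alias, home):
    """Effective options for alias: first value wins, IdentityFile accumulates."""
    opts, active = {}, True  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = _host_matches(alias, value.split())
        elif active and key == "identityfile":
            if value.startswith("~/"):
                value = os.path.join(home, value[2:])
            opts.setdefault(key, []).append(value)
        elif active:
            opts.setdefault(key, value)
    return opts


def only_in_ssh_config(config_text, alias, login_user, home):
    """Settings a client cannot derive from the login user and ~/.ssh defaults."""
    opts = resolve(config_text, alias, home)
    defaults = {os.path.join(home, ".ssh", n) for n in DEFAULT_KEY_NAMES}
    extra = [k for k in opts.get("identityfile", []) if k not in defaults]
    found = {"user": opts.get("user", login_user), "identityfile": extra}
    return {k: v for k, v in found.items() if v and v != login_user}
```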
